Tuesday, December 14, 2010

Thoughts on OS virtualization & Bare Metal virtualization

OS Virtualization - OpenVZ/Virtuozzo/OpenLXC
Bare Metal Virtualization - VMware/Citrix/Hyper-V

Benefits of OS Virtualization:
1) Complete isolation of the running processes, like BSD jails.
2) No kernel stack overhead on the system, as the containers share the same kernel as the host machine.
3) Around 1-2% total overhead on the system compared to full virtualization.
4) No locking of resources to the virtual machines. In the full virtualization model, dedicated resources locked to a virtual machine can only be used by that machine. In OS virtualization a resource can be shared between multiple isolated environments whenever a particular container is not using it, which gives efficient resource utilization.
5) All containers are at the same kernel patch level as the host OS, so less management is required for updates.
6) Fast application deployment through template caching & management.
7) Fast package management through local repository servers running as containers.
8) The VZ architecture uses a common file system for the containers, so each virtual environment is separated only by its chroot parameters.
9) A virtual machine can be cloned just by copying the files from one directory to another and creating the config file.
10) OS virtualization parameters:
Files: System libraries, applications, virtualized /proc and /sys, virtualized locks, etc.
Users & groups: Own root user as well as groups.
Process: A container only sees its own processes. PIDs are virtualized, so the init PID appears as 1.
Network: Virtual network devices in host-routed & bridged mode, Netfilter module support and private routing tables.
Devices: If needed, any container can be granted access to real devices like network interfaces, serial ports and disk partitions, either by passing them through to specific containers or by virtualizing them.
IPC objects: Shared memory model support, etc.
11) Two-level disk quotas, fair CPU scheduler & UBC (User Beancounters); these parameters can be changed at runtime, eliminating the need for a reboot.
12) The CPU units parameter gives total control over CPU time utilization priority.
13) I/O scheduler priorities can also be set per container.
14) Live migration using checkpointing.
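As an added example (not code from the original post), the UBC parameters from point 11 can be watched from the host rather than from inside a container: this Python parses the /proc/user_beancounters table of an OpenVZ host and flags counters whose failcnt is non-zero or whose held value sits near the barrier, which is usually the first sign that a container needs its limits retuned at runtime. The sample table is constructed here, and its column layout is assumed from the OpenVZ format rather than taken from this post.

```python
from dataclasses import dataclass

# Constructed sample in the layout of /proc/user_beancounters on an OpenVZ
# host (assumed layout; values are made up). The first line of each
# container section starts with "<ctid>:"; later lines omit the id.
SAMPLE_UBC = """\
Version: 2.5
       uid  resource          held     maxheld     barrier       limit  failcnt
      101:  kmemsize       2103192     2200000    11055923    11377049        0
            privvmpages      45000       65536       65536       69632       12
            numproc             35          40         240         240        0
            tcpsndbuf      1234567     2000000     1720320     2703360        3
      102:  kmemsize       1003192     1200000    11055923    11377049        0
            privvmpages      60000       60000       65536       69632        0
"""

@dataclass
class Counter:
    ctid: int
    resource: str
    held: int
    maxheld: int
    barrier: int
    limit: int
    failcnt: int

def parse_user_beancounters(text: str) -> list[Counter]:
    """Parse the text of /proc/user_beancounters into Counter records."""
    counters, ctid = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("Version:", "uid"):
            continue                       # skip the version and header lines
        if fields[0].endswith(":"):        # "101:" opens a new container section
            ctid = int(fields[0][:-1])
            fields = fields[1:]
        if ctid is None or len(fields) != 6:
            continue                       # malformed line: ignore, do not guess
        name, *nums = fields
        counters.append(Counter(ctid, name, *map(int, nums)))
    return counters

def find_limit_hits(counters, held_ratio=0.9):
    """Return (ctid, resource, failcnt) for counters that failed or are near the barrier."""
    hits = []
    for c in counters:
        near = c.barrier and c.held >= held_ratio * c.barrier
        if c.failcnt > 0 or near:
            hits.append((c.ctid, c.resource, c.failcnt))
    return hits
```

On a live host the same functions can be fed `open("/proc/user_beancounters").read()`; a non-zero failcnt means the kernel has already refused allocations to that container.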

Limitations of the OS Virtualization:
1) This virtualization technology only supports VPN technologies like PPP & TUN/TAP.
2) IPSec crypto is not supported as of now.
3) The host OS kernel is responsible for all container operations; issues in this kernel can affect all of the containers.
4) If the host OS is compromised, all of the containers are compromised. Strong security policies need to be maintained on host OSes.
5) No complete isolation of resources, which causes some latency issues in selected scenarios.
